search

Deltares-research / coastviewer

Coast viewer server side. Serves several sources as KML and geojson.
Other
5 stars 2 forks source link

Scheduled biweekly dependency update for week 46 #130

Closed pyup-bot closed 3 years ago

pyup-bot commented 3 years ago

Update cryptography from 2.8 to 3.2.1.

Changelog ### 3.2 ``` ~~~~~~~~~~~~~~~~ * **SECURITY ISSUE:** Attempted to make RSA PKCS1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to **Hubert Kario** for reporting the issue. *CVE-2020-25659* * Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade. * Added basic support for PKCS7 signing (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`. .. _v3-1-1: ``` ### 3.1.1 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1h. .. _v3-1: ``` ### 3.1 ``` ~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based :term:`U-label` parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5. * Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by the OpenSSL project. The next version of ``cryptography`` will drop support for it. * Deprecated support for Python 3.5. This version sees very little use and will be removed in the next release. * ``backend`` arguments to functions are no longer required and the default backend will automatically be selected if no ``backend`` is provided. * Added initial support for parsing certificates from PKCS7 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` . * Calling ``update`` or ``update_into`` on :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data`` longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This also resolves the same issue in :doc:`/fernet`. .. _v3-0: ``` ### 3.0 ``` ~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Removed support for passing an :class:`~cryptography.x509.Extension` instance to :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`, as per our deprecation policy. * **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+ is still supported). * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer. * **BACKWARDS INCOMPATIBLE:** RSA :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` no longer accepts ``public_exponent`` values except 65537 and 3 (the latter for legacy purposes). * **BACKWARDS INCOMPATIBLE:** X.509 certificate parsing now enforces that the ``version`` field contains a valid value, rather than deferring this check until :attr:`~cryptography.x509.Certificate.version` is accessed. * Deprecated support for Python 2. At the time there is no time table for actually dropping support, however we strongly encourage all users to upgrade their Python, as Python 2 no longer receives support from the Python core team. If you have trouble suppressing this warning in tests view the :ref:`FAQ entry addressing this issue <faq-howto-handle-deprecation-warning>`. * Added support for ``OpenSSH`` serialization format for ``ec``, ``ed25519``, ``rsa`` and ``dsa`` private keys: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` for loading and :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH` for writing. * Added support for ``OpenSSH`` certificates to :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`. * Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and :meth:`~cryptography.fernet.Fernet.decrypt_at_time` to :class:`~cryptography.fernet.Fernet`. * Added support for the :class:`~cryptography.x509.SubjectInformationAccess` X.509 extension. * Added support for parsing :class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses. * Added support for parsing attributes in certificate signing requests via :meth:`~cryptography.x509.CertificateSigningRequest.get_attribute_for_oid`. * Added support for encoding attributes in certificate signing requests via :meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`. * On OpenSSL 1.1.1d and higher ``cryptography`` now uses OpenSSL's built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork. * Added initial support for creating PKCS12 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`. .. _v2-9-2: ``` ### 2.9.2 ``` ~~~~~~~~~~~~~~~~~~ * Updated the macOS wheel to fix an issue where it would not run on macOS versions older than 10.15. .. _v2-9-1: ``` ### 2.9.1 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1g. .. _v2-9: ``` ### 2.9 ``` ~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to low usage and maintenance burden. * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed. * Removed support for calling :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes` with no arguments, as per our deprecation policy. You must now pass ``encoding`` and ``format``. * **BACKWARDS INCOMPATIBLE:** Reversed the order in which :meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs as required by :rfc:`4514`. * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1f. * Added support for parsing :attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP response. * :class:`~cryptography.x509.NameAttribute` values can now be empty strings. .. _v2-8: ```
Links - PyPI: https://pypi.org/project/cryptography - Changelog: https://pyup.io/changelogs/cryptography/ - Repo: https://github.com/pyca/cryptography

Update Flask-Cors from 3.0.3 to 3.0.9.

Changelog ### 3.0.9 ``` Security - Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for "/api/*" whereas the path actually expands simply to "/foo.txt" ``` ### 3.0.8 ``` Fixes : DeprecationWarning: Using or importing the ABCs from 'collections' in Python 3.7. Thank you juanmaneo and jdevera for the contribution. ``` ### 3.0.7 ``` Updated logging.warn to logging.warning (234) Thanks Vaibhav ``` ### 3.0.6 ``` Manual error in release process. Identical contents at 3.0.5. ``` ### 3.0.5 ``` Fixes incorrect handling of regexes containg `[`, and a few other special characters. Fixes Issue [212](https://github.com/corydolphin/flask-cors/issues/212) ``` ### 3.0.4 ``` Handle response.headers being None. (Fixes issue 217) ```
Links - PyPI: https://pypi.org/project/flask-cors - Changelog: https://pyup.io/changelogs/flask-cors/ - Repo: https://github.com/corydolphin/flask-cors

Update PyYAML from 5.3 to 5.3.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links - PyPI: https://pypi.org/project/pyyaml - Repo: https://github.com/yaml/pyyaml

Update urllib3 from 1.25.7 to 1.26.2.

Changelog ### 1.26.2 ``` ------------------- * Fixed an issue where ``wrap_socket`` and ``CERT_REQUIRED`` wouldn't be imported properly on Python 2.7.8 and earlier (Pull 2052) ``` ### 1.26.1 ``` ------------------- * Fixed an issue where two ``User-Agent`` headers would be sent if a ``User-Agent`` header key is passed as ``bytes`` (Pull 2047) ``` ### 1.26.0 ``` ------------------- * **NOTE: urllib3 v2.0 will drop support for Python 2**. `Read more in the v2.0 Roadmap <https://urllib3.readthedocs.io/en/latest/v2-roadmap.html>`_. * Added support for HTTPS proxies contacting HTTPS servers (Pull 1923, Pull 1806) * Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning should opt-in explicitly by setting ``ssl_version=ssl.PROTOCOL_TLSv1_1`` (Pull 2002) **Starting in urllib3 v2.0: Connections that receive a ``DeprecationWarning`` will fail** * Deprecated ``Retry`` options ``Retry.DEFAULT_METHOD_WHITELIST``, ``Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST`` and ``Retry(method_whitelist=...)`` in favor of ``Retry.DEFAULT_ALLOWED_METHODS``, ``Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT``, and ``Retry(allowed_methods=...)`` (Pull 2000) **Starting in urllib3 v2.0: Deprecated options will be removed** * Added default ``User-Agent`` header to every request (Pull 1750) * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``, and ``Host`` headers from being automatically emitted with requests (Pull 2018) * Collapse ``transfer-encoding: chunked`` request data and framing into the same ``socket.send()`` call (Pull 1906) * Send ``http/1.1`` ALPN identifier with every TLS handshake by default (Pull 1894) * Properly terminate SecureTransport connections when CA verification fails (Pull 1977) * Don't emit an ``SNIMissingWarning`` when passing ``server_hostname=None`` to SecureTransport (Pull 1903) * Disabled requesting TLSv1.2 session tickets as they weren't being used by urllib3 (Pull 1970) * Suppress ``BrokenPipeError`` when writing request body after the server has closed the socket (Pull 1524) * Wrap ``ssl.SSLError`` that can be raised from reading a socket (e.g. "bad MAC") into an ``urllib3.exceptions.SSLError`` (Pull 1939) ``` ### 1.25.11 ``` -------------------- * Fix retry backoff time parsed from ``Retry-After`` header when given in the HTTP date format. The HTTP date was parsed as the local timezone rather than accounting for the timezone in the HTTP date (typically UTC) (Pull 1932, Pull 1935, Pull 1938, Pull 1949) * Fix issue where an error would be raised when the ``SSLKEYLOGFILE`` environment variable was set to the empty string. Now ``SSLContext.keylog_file`` is not set in this situation (Pull 2016) ``` ### 1.25.10 ``` -------------------- * Added support for ``SSLKEYLOGFILE`` environment variable for logging TLS session keys with use with programs like Wireshark for decrypting captured web traffic (Pull 1867) * Fixed loading of SecureTransport libraries on macOS Big Sur due to the new dynamic linker cache (Pull 1905) * Collapse chunked request bodies data and framing into one call to ``send()`` to reduce the number of TCP packets by 2-4x (Pull 1906) * Don't insert ``None`` into ``ConnectionPool`` if the pool was empty when requesting a connection (Pull 1866) * Avoid ``hasattr`` call in ``BrotliDecoder.decompress()`` (Pull 1858) ``` ### 1.25.9 ``` ------------------- * Added ``InvalidProxyConfigurationWarning`` which is raised when erroneously specifying an HTTPS proxy URL. urllib3 doesn't currently support connecting to HTTPS proxies but will soon be able to and we would like users to migrate properly without much breakage. See `this GitHub issue <https://github.com/urllib3/urllib3/issues/1850>`_ for more information on how to fix your proxy config. (Pull 1851) * Drain connection after ``PoolManager`` redirect (Pull 1817) * Ensure ``load_verify_locations`` raises ``SSLError`` for all backends (Pull 1812) * Rename ``VerifiedHTTPSConnection`` to ``HTTPSConnection`` (Pull 1805) * Allow the CA certificate data to be passed as a string (Pull 1804) * Raise ``ValueError`` if method contains control characters (Pull 1800) * Add ``__repr__`` to ``Timeout`` (Pull 1795) ``` ### 1.25.8 ``` ------------------- * Drop support for EOL Python 3.4 (Pull 1774) * Optimize _encode_invalid_chars (Pull 1787) ```
Links - PyPI: https://pypi.org/project/urllib3 - Changelog: https://pyup.io/changelogs/urllib3/ - Docs: https://urllib3.readthedocs.io/

Update pip from 9.0.1 to 20.2.4.

Changelog ### 20.2.4 ``` =================== Deprecations and Removals ------------------------- - Document that certain removals can be fast tracked. (`8417 <https://github.com/pypa/pip/issues/8417>`_) - Document that Python versions are generally supported until PyPI usage falls below 5%. (`8927 <https://github.com/pypa/pip/issues/8927>`_) Features -------- - New resolver: Avoid accessing indexes when the installed candidate is preferred and considered good enough. (`8023 <https://github.com/pypa/pip/issues/8023>`_) - Improve error message friendliness when an environment has packages with corrupted metadata. (`8676 <https://github.com/pypa/pip/issues/8676>`_) - Cache package listings on index packages so they are guarenteed to stay stable during a pip command session. This also improves performance when a index page is accessed multiple times during the command session. (`8905 <https://github.com/pypa/pip/issues/8905>`_) - New resolver: Tweak resolution logic to improve user experience when user-supplied requirements conflict. (`8924 <https://github.com/pypa/pip/issues/8924>`_) Bug Fixes --------- - New resolver: Correctly respect ``Requires-Python`` metadata to reject incompatible packages in ``--no-deps`` mode. (`8758 <https://github.com/pypa/pip/issues/8758>`_) - New resolver: Pick up hash declarations in constraints files and use them to filter available distributions. (`8792 <https://github.com/pypa/pip/issues/8792>`_) - New resolver: If a package appears multiple times in user specification with different ``--hash`` options, only hashes that present in all specifications should be allowed. (`8839 <https://github.com/pypa/pip/issues/8839>`_) Improved Documentation ---------------------- - Add ux documentation (`8807 <https://github.com/pypa/pip/issues/8807>`_) ``` ### 20.2.3 ``` =================== Deprecations and Removals ------------------------- - Deprecate support for Python 3.5 (`8181 <https://github.com/pypa/pip/issues/8181>`_) Features -------- - Make the ``setup.py install`` deprecation warning less noisy. We warn only when ``setup.py install`` succeeded and ``setup.py bdist_wheel`` failed, as situations where both fails are most probably irrelevant to this deprecation. (`8752 <https://github.com/pypa/pip/issues/8752>`_) ``` ### 20.2.2 ``` =================== Bug Fixes --------- - Only attempt to use the keyring once and if it fails, don't try again. This prevents spamming users with several keyring unlock prompts when they cannot unlock or don't want to do so. (`8090 <https://github.com/pypa/pip/issues/8090>`_) - Fix regression that distributions in system site-packages are not correctly found when a virtual environment is configured with ``system-site-packages`` on. (`8695 <https://github.com/pypa/pip/issues/8695>`_) - Disable caching for range requests, which causes corrupted wheels when pip tries to obtain metadata using the feature ``fast-deps``. (`8701 <https://github.com/pypa/pip/issues/8701>`_, `8716 <https://github.com/pypa/pip/issues/8716>`_) - Always use UTF-8 to read ``pyvenv.cfg`` to match the built-in ``venv``. (`8717 <https://github.com/pypa/pip/issues/8717>`_) - 2020 Resolver: Correctly handle marker evaluation in constraints and exclude them if their markers do not match the current environment. (`8724 <https://github.com/pypa/pip/issues/8724>`_) ``` ### 20.2.1 ``` =================== Features -------- - Ignore require-virtualenv in ``pip list`` (`8603 <https://github.com/pypa/pip/issues/8603>`_) Bug Fixes --------- - Correctly find already-installed distributions with dot (``.``) in the name and uninstall them when needed. (`8645 <https://github.com/pypa/pip/issues/8645>`_) - Trace a better error message on installation failure due to invalid ``.data`` files in wheels. (`8654 <https://github.com/pypa/pip/issues/8654>`_) - Fix SVN version detection for alternative SVN distributions. (`8665 <https://github.com/pypa/pip/issues/8665>`_) - New resolver: Correctly include the base package when specified with extras in ``--no-deps`` mode. (`8677 <https://github.com/pypa/pip/issues/8677>`_) - Use UTF-8 to handle ZIP archive entries on Python 2 according to PEP 427, so non-ASCII paths can be resolved as expected. (`8684 <https://github.com/pypa/pip/issues/8684>`_) Improved Documentation ---------------------- - Add details on old resolver deprecation and removal to migration documentation. (`8371 <https://github.com/pypa/pip/issues/8371>`_) - Fix feature flag name in docs. (`8660 <https://github.com/pypa/pip/issues/8660>`_) ``` ### 20.2 ``` ================= Deprecations and Removals ------------------------- - Deprecate setup.py-based builds that do not generate an ``.egg-info`` directory. (`6998 <https://github.com/pypa/pip/issues/6998>`_, `8617 <https://github.com/pypa/pip/issues/8617>`_) - Disallow passing install-location-related arguments in ``--install-options``. (`7309 <https://github.com/pypa/pip/issues/7309>`_) - Add deprecation warning for invalid requirements format "base>=1.0[extra]" (`8288 <https://github.com/pypa/pip/issues/8288>`_) - Deprecate legacy setup.py install when building a wheel failed for source distributions without pyproject.toml (`8368 <https://github.com/pypa/pip/issues/8368>`_) - Deprecate -b/--build/--build-dir/--build-directory. Its current behaviour is confusing and breaks in case different versions of the same distribution need to be built during the resolution process. Using the TMPDIR/TEMP/TMP environment variable, possibly combined with --no-clean covers known use cases. (`8372 <https://github.com/pypa/pip/issues/8372>`_) - Remove undocumented and deprecated option ``--always-unzip`` (`8408 <https://github.com/pypa/pip/issues/8408>`_) Features -------- - Log debugging information about pip, in ``pip install --verbose``. (`3166 <https://github.com/pypa/pip/issues/3166>`_) - Refine error messages to avoid showing Python tracebacks when an HTTP error occurs. (`5380 <https://github.com/pypa/pip/issues/5380>`_) - Install wheel files directly instead of extracting them to a temp directory. (`6030 <https://github.com/pypa/pip/issues/6030>`_) - Add a beta version of pip's next-generation dependency resolver. Move pip's new resolver into beta, remove the ``--unstable-feature=resolver`` flag, and enable the ``--use-feature=2020-resolver`` flag. The new resolver is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of :ref:`Constraints Files`, so some workarounds and workflows may break. More details about how to test and migrate, and how to report issues, at :ref:`Resolver changes 2020` . Maintainers are preparing to ``` ### 20.2b1 ``` =================== Bug Fixes --------- - Correctly treat wheels containing non-ASCII file contents so they can be installed on Windows. (`5712 <https://github.com/pypa/pip/issues/5712>`_) - Prompt the user for password if the keyring backend doesn't return one (`7998 <https://github.com/pypa/pip/issues/7998>`_) Improved Documentation ---------------------- - Add GitHub issue template for reporting when the dependency resolver fails (`8207 <https://github.com/pypa/pip/issues/8207>`_) ``` ### 20.1.1 ``` =================== Deprecations and Removals ------------------------- - Revert building of local directories in place, restoring the pre-20.1 behaviour of copying to a temporary directory. (`7555 <https://github.com/pypa/pip/issues/7555>`_) - Drop parallelization from ``pip list --outdated``. (`8167 <https://github.com/pypa/pip/issues/8167>`_) Bug Fixes --------- - Fix metadata permission issues when umask has the executable bit set. (`8164 <https://github.com/pypa/pip/issues/8164>`_) - Avoid unnecessary message about the wheel package not being installed when a wheel would not have been built. Additionally, clarify the message. (`8178 <https://github.com/pypa/pip/issues/8178>`_) ``` ### 20.1 ``` ================= Process ------- - Document that pip 21.0 will drop support for Python 2.7. Features -------- - Add ``pip cache dir`` to show the cache directory. (`7350 <https://github.com/pypa/pip/issues/7350>`_) Bug Fixes --------- - Abort pip cache commands early when cache is disabled. (`8124 <https://github.com/pypa/pip/issues/8124>`_) - Correctly set permissions on metadata files during wheel installation, to permit non-privileged users to read from system site-packages. (`8139 <https://github.com/pypa/pip/issues/8139>`_) ``` ### 20.1b1 ``` =================== Deprecations and Removals ------------------------- - Remove emails from AUTHORS.txt to prevent usage for spamming, and only populate names in AUTHORS.txt at time of release (`5979 <https://github.com/pypa/pip/issues/5979>`_) - Remove deprecated ``--skip-requirements-regex`` option. (`7297 <https://github.com/pypa/pip/issues/7297>`_) - Building of local directories is now done in place, instead of a temporary location containing a copy of the directory tree. (`7555 <https://github.com/pypa/pip/issues/7555>`_) - Remove unused ``tests/scripts/test_all_pip.py`` test script and the ``tests/scripts`` folder. (`7680 <https://github.com/pypa/pip/issues/7680>`_) Features -------- - pip now implements PEP 610, so ``pip freeze`` has better fidelity in presence of distributions installed from Direct URL requirements. (`609 <https://github.com/pypa/pip/issues/609>`_) - Add ``pip cache`` command for inspecting/managing pip's wheel cache. (`6391 <https://github.com/pypa/pip/issues/6391>`_) - Raise error if ``--user`` and ``--target`` are used together in ``pip install`` (`7249 <https://github.com/pypa/pip/issues/7249>`_) - Significantly improve performance when ``--find-links`` points to a very large HTML page. (`7729 <https://github.com/pypa/pip/issues/7729>`_) - Indicate when wheel building is skipped, due to lack of the ``wheel`` package. (`7768 <https://github.com/pypa/pip/issues/7768>`_) - Change default behaviour to always cache responses from trusted-host source. (`7847 <https://github.com/pypa/pip/issues/7847>`_) - An alpha version of a new resolver is available via ``--unstable-feature=resolver``. (`988 <https://github.com/pypa/pip/issues/988>`_) Bug Fixes --------- - Correctly freeze a VCS editable package when it is nested inside another VCS repository. (`3988 <https://github.com/pypa/pip/issues/3988>`_) - Correctly handle ``%2F`` in URL parameters to avoid accidentally unescape them into ``/``. (`6446 <https://github.com/pypa/pip/issues/6446>`_) - Reject VCS URLs with an empty revision. (`7402 <https://github.com/pypa/pip/issues/7402>`_) - Warn when an invalid URL is passed with ``--index-url`` (`7430 <https://github.com/pypa/pip/issues/7430>`_) - Use better mechanism for handling temporary files, when recording metadata about installed files (RECORD) and the installer (INSTALLER). (`7699 <https://github.com/pypa/pip/issues/7699>`_) - Correctly detect global site-packages availability of virtual environments created by PyPA’s virtualenv>=20.0. (`7718 <https://github.com/pypa/pip/issues/7718>`_) - Remove current directory from ``sys.path`` when invoked as ``python -m pip <command>`` (`7731 <https://github.com/pypa/pip/issues/7731>`_) - Stop failing uninstallation, when trying to remove non-existent files. (`7856 <https://github.com/pypa/pip/issues/7856>`_) - Prevent an infinite recursion with ``pip wheel`` when ``$TMPDIR`` is within the source directory. (`7872 <https://github.com/pypa/pip/issues/7872>`_) - Significantly speedup ``pip list --outdated`` by parallelizing index interaction. (`7962 <https://github.com/pypa/pip/issues/7962>`_) - Improve Windows compatibility when detecting writability in folder. (`8013 <https://github.com/pypa/pip/issues/8013>`_) Vendored Libraries ------------------ - Update semi-supported debundling script to reflect that appdirs is vendored. - Add ResolveLib as a vendored dependency. - Upgrade certifi to 2020.04.05.1 - Upgrade contextlib2 to 0.6.0.post1 - Upgrade distro to 1.5.0. - Upgrade idna to 2.9. - Upgrade msgpack to 1.0.0. - Upgrade packaging to 20.3. - Upgrade pep517 to 0.8.2. - Upgrade pyparsing to 2.4.7. - Remove pytoml as a vendored dependency. - Upgrade requests to 2.23.0. - Add toml as a vendored dependency. - Upgrade urllib3 to 1.25.8. Improved Documentation ---------------------- - Emphasize that VCS URLs using git, git+git and git+http are insecure due to lack of authentication and encryption (`1983 <https://github.com/pypa/pip/issues/1983>`_) - Clarify the usage of --no-binary command. (`3191 <https://github.com/pypa/pip/issues/3191>`_) - Clarify the usage of freeze command in the example of Using pip in your program (`7008 <https://github.com/pypa/pip/issues/7008>`_) - Add a "Copyright" page. (`7767 <https://github.com/pypa/pip/issues/7767>`_) - Added example of defining multiple values for options which support them (`7803 <https://github.com/pypa/pip/issues/7803>`_) ``` ### 20.0.2 ``` =================== Bug Fixes --------- - Fix a regression in generation of compatibility tags. (`7626 <https://github.com/pypa/pip/issues/7626>`_) Vendored Libraries ------------------ - Upgrade packaging to 20.1 ``` ### 20.0.1 ``` =================== Bug Fixes --------- - Rename an internal module, to avoid ImportErrors due to improper uninstallation. (`7621 <https://github.com/pypa/pip/issues/7621>`_) ``` ### 20.0 ``` ================= Process ------- - Switch to a dedicated CLI tool for vendoring dependencies. Deprecations and Removals ------------------------- - Remove wheel tag calculation from pip and use ``packaging.tags``. This should provide more tags ordered better than in prior releases. (`6908 <https://github.com/pypa/pip/issues/6908>`_) - Deprecate setup.py-based builds that do not generate an ``.egg-info`` directory. (`6998 <https://github.com/pypa/pip/issues/6998>`_) - The pip>=20 wheel cache is not retro-compatible with previous versions. Until pip 21.0, pip will continue to take advantage of existing legacy cache entries. (`7296 <https://github.com/pypa/pip/issues/7296>`_) - Deprecate undocumented ``--skip-requirements-regex`` option. (`7297 <https://github.com/pypa/pip/issues/7297>`_) - Deprecate passing install-location-related options via ``--install-option``. (`7309 <https://github.com/pypa/pip/issues/7309>`_) - Use literal "abi3" for wheel tag on CPython 3.x, to align with PEP 384 which only defines it for this platform. (`7327 <https://github.com/pypa/pip/issues/7327>`_) - Remove interpreter-specific major version tag e.g. ``cp3-none-any`` from consideration. This behavior was not documented strictly, and this tag in particular is `not useful <https://snarky.ca/the-challenges-in-designing-a-library-for-pep-425/>`_. Anyone with a use case can create an issue with pypa/packaging. (`7355 <https://github.com/pypa/pip/issues/7355>`_) - Wheel processing no longer permits wheels containing more than one top-level .dist-info directory. (`7487 <https://github.com/pypa/pip/issues/7487>`_) - Support for the ``git+git`` form of VCS requirement is being deprecated and will be removed in pip 21.0. Switch to ``git+https://`` or ``git+ssh://``. ``git+git://`` also works but its use is discouraged as it is insecure. (`7543 <https://github.com/pypa/pip/issues/7543>`_) Features -------- - Default to doing a user install (as if ``--user`` was passed) when the main site-packages directory is not writeable and user site-packages are enabled. (`1668 <https://github.com/pypa/pip/issues/1668>`_) - Warn if a path in PATH starts with tilde during ``pip install``. (`6414 <https://github.com/pypa/pip/issues/6414>`_) - Cache wheels built from Git requirements that are considered immutable, because they point to a commit hash. (`6640 <https://github.com/pypa/pip/issues/6640>`_) - Add option ``--no-python-version-warning`` to silence warnings related to deprecation of Python versions. (`6673 <https://github.com/pypa/pip/issues/6673>`_) - Cache wheels that ``pip wheel`` built locally, matching what ``pip install`` does. This particularly helps performance in workflows where ``pip wheel`` is used for `building before installing <https://pip.pypa.io/en/stable/user_guide/installing-from-local-packages>`_. Users desiring the original behavior can use ``pip wheel --no-cache-dir``. (`6852 <https://github.com/pypa/pip/issues/6852>`_) - Display CA information in ``pip debug``. (`7146 <https://github.com/pypa/pip/issues/7146>`_) - Show only the filename (instead of full URL), when downloading from PyPI. (`7225 <https://github.com/pypa/pip/issues/7225>`_) - Suggest a more robust command to upgrade pip itself to avoid confusion when the current pip command is not available as ``pip``. (`7376 <https://github.com/pypa/pip/issues/7376>`_) - Define all old pip console script entrypoints to prevent import issues in stale wrapper scripts. (`7498 <https://github.com/pypa/pip/issues/7498>`_) - The build step of ``pip wheel`` now builds all wheels to a cache first, then copies them to the wheel directory all at once. Before, it built them to a temporary directory and moved them to the wheel directory one by one. (`7517 <https://github.com/pypa/pip/issues/7517>`_) - Expand ``~`` prefix to user directory in path options, configs, and environment variables. Values that may be either URL or path are not currently supported, to avoid ambiguity: * ``--find-links`` * ``--constraint``, ``-c`` * ``--requirement``, ``-r`` * ``--editable``, ``-e`` (`980 <https://github.com/pypa/pip/issues/980>`_) Bug Fixes --------- - Correctly handle system site-packages, in virtual environments created with venv (PEP 405). (`5702 <https://github.com/pypa/pip/issues/5702>`_, `7155 <https://github.com/pypa/pip/issues/7155>`_) - Fix case sensitive comparison of pip freeze when used with -r option. (`5716 <https://github.com/pypa/pip/issues/5716>`_) - Enforce PEP 508 requirement format in ``pyproject.toml`` ``build-system.requires``. (`6410 <https://github.com/pypa/pip/issues/6410>`_) - Make ``ensure_dir()`` also ignore ``ENOTEMPTY`` as seen on Windows. (`6426 <https://github.com/pypa/pip/issues/6426>`_) - Fix building packages which specify ``backend-path`` in pyproject.toml. (`6599 <https://github.com/pypa/pip/issues/6599>`_) - Do not attempt to run ``setup.py clean`` after a ``pep517`` build error, since a ``setup.py`` may not exist in that case. (`6642 <https://github.com/pypa/pip/issues/6642>`_) - Fix passwords being visible in the index-url in "Downloading <url>" message. (`6783 <https://github.com/pypa/pip/issues/6783>`_) - Change method from shutil.remove to shutil.rmtree in noxfile.py. (`7191 <https://github.com/pypa/pip/issues/7191>`_) - Skip running tests which require subversion, when svn isn't installed (`7193 <https://github.com/pypa/pip/issues/7193>`_) - Fix not sending client certificates when using ``--trusted-host``. (`7207 <https://github.com/pypa/pip/issues/7207>`_) - Make sure ``pip wheel`` never outputs pure python wheels with a python implementation tag. Better fix/workaround for `3025 <https://github.com/pypa/pip/issues/3025>`_ by using a per-implementation wheel cache instead of caching pure python wheels with an implementation tag in their name. (`7296 <https://github.com/pypa/pip/issues/7296>`_) - Include ``subdirectory`` URL fragments in cache keys. (`7333 <https://github.com/pypa/pip/issues/7333>`_) - Fix typo in warning message when any of ``--build-option``, ``--global-option`` and ``--install-option`` is used in requirements.txt (`7340 <https://github.com/pypa/pip/issues/7340>`_) - Fix the logging of cached HTTP response shown as downloading. (`7393 <https://github.com/pypa/pip/issues/7393>`_) - Effectively disable the wheel cache when it is not writable, as is the case with the http cache. (`7488 <https://github.com/pypa/pip/issues/7488>`_) - Correctly handle relative cache directory provided via --cache-dir. (`7541 <https://github.com/pypa/pip/issues/7541>`_) Vendored Libraries ------------------ - Upgrade CacheControl to 0.12.5 - Upgrade certifi to 2019.9.11 - Upgrade colorama to 0.4.1 - Upgrade distlib to 0.2.9.post0 - Upgrade ipaddress to 1.0.22 - Update packaging to 20.0. - Upgrade pkg_resources (via setuptools) to 44.0.0 - Upgrade pyparsing to 2.4.2 - Upgrade six to 1.12.0 - Upgrade urllib3 to 1.25.6 Improved Documentation ---------------------- - Document that "coding: utf-8" is supported in requirements.txt (`7182 <https://github.com/pypa/pip/issues/7182>`_) - Explain how to get pip's source code in `Getting Started <https://pip.pypa.io/en/stable/development/getting-started/>`_ (`7197 <https://github.com/pypa/pip/issues/7197>`_) - Describe how basic authentication credentials in URLs work. (`7201 <https://github.com/pypa/pip/issues/7201>`_) - Add more clear installation instructions (`7222 <https://github.com/pypa/pip/issues/7222>`_) - Fix documentation links for index options (`7347 <https://github.com/pypa/pip/issues/7347>`_) - Better document the requirements file format (`7385 <https://github.com/pypa/pip/issues/7385>`_) ``` ### 19.3.1 ``` =================== Features -------- - Document Python 3.8 support. (`7219 <https://github.com/pypa/pip/issues/7219>`_) Bug Fixes --------- - Fix bug that prevented installation of PEP 517 packages without ``setup.py``. (`6606 <https://github.com/pypa/pip/issues/6606>`_) ``` ### 19.3 ``` ================= Deprecations and Removals ------------------------- - Remove undocumented support for un-prefixed URL requirements pointing to SVN repositories. Users relying on this can get the original behavior by prefixing their URL with ``svn+`` (which is backwards-compatible). (`7037 <https://github.com/pypa/pip/issues/7037>`_) - Remove the deprecated ``--venv`` option from ``pip config``. (`7163 <https://github.com/pypa/pip/issues/7163>`_) Features -------- - Print a better error message when ``--no-binary`` or ``--only-binary`` is given an argument starting with ``-``. (`3191 <https://github.com/pypa/pip/issues/3191>`_) - Make ``pip show`` warn about packages not found. (`6858 <https://github.com/pypa/pip/issues/6858>`_) - Support including a port number in ``--trusted-host`` for both HTTP and HTTPS. (`6886 <https://github.com/pypa/pip/issues/6886>`_) - Redact single-part login credentials from URLs in log messages. (`6891 <https://github.com/pypa/pip/issues/6891>`_) - Implement manylinux2014 platform tag support. manylinux2014 is the successor to manylinux2010. It allows carefully compiled binary wheels to be installed on compatible Linux platforms. The manylinux2014 platform tag definition can be found in `PEP599 <https://www.python.org/dev/peps/pep-0599/>`_. (`7102 <https://github.com/pypa/pip/issues/7102>`_) Bug Fixes --------- - Abort installation if any archive contains a file which would be placed outside the extraction location. (`3907 <https://github.com/pypa/pip/issues/3907>`_) - pip's CLI completion code no longer prints a Traceback if it is interrupted. (`3942 <https://github.com/pypa/pip/issues/3942>`_) - Correct inconsistency related to the ``hg+file`` scheme. (`4358 <https://github.com/pypa/pip/issues/4358>`_) - Fix ``rmtree_errorhandler`` to skip non-existing directories. (`4910 <https://github.com/pypa/pip/issues/4910>`_) - Ignore errors copying socket files for local source installs (in Python 3). (`5306 <https://github.com/pypa/pip/issues/5306>`_) - Fix requirement line parser to correctly handle PEP 440 requirements with a URL pointing to an archive file. (`6202 <https://github.com/pypa/pip/issues/6202>`_) - The ``pip-wheel-metadata`` directory does not need to persist between invocations of pip, use a temporary directory instead of the current ``setup.py`` directory. (`6213 <https://github.com/pypa/pip/issues/6213>`_) - Fix ``--trusted-host`` processing under HTTPS to trust any port number used with the host. (`6705 <https://github.com/pypa/pip/issues/6705>`_) - Switch to new ``distlib`` wheel script template. This should be functionally equivalent for end users. (`6763 <https://github.com/pypa/pip/issues/6763>`_) - Skip copying .tox and .nox directories to temporary build directories (`6770 <https://github.com/pypa/pip/issues/6770>`_) - Fix handling of tokens (single part credentials) in URLs. (`6795 <https://github.com/pypa/pip/issues/6795>`_) - Fix a regression that caused ``~`` expansion not to occur in ``--find-links`` paths. (`6804 <https://github.com/pypa/pip/issues/6804>`_) - Fix bypassed pip upgrade warning on Windows. (`6841 <https://github.com/pypa/pip/issues/6841>`_) - Fix 'm' flag erroneously being appended to ABI tag in Python 3.8 on platforms that do not provide SOABI (`6885 <https://github.com/pypa/pip/issues/6885>`_) - Hide security-sensitive strings like passwords in log messages related to version control system (aka VCS) command invocations. (`6890 <https://github.com/pypa/pip/issues/6890>`_) - Correctly uninstall symlinks that were installed in a virtualenv, by tools such as ``flit install --symlink``. (`6892 <https://github.com/pypa/pip/issues/6892>`_) - Don't fail installation using pip.exe on Windows when pip wouldn't be upgraded. (`6924 <https://github.com/pypa/pip/issues/6924>`_) - Use canonical distribution names when computing ``Required-By`` in ``pip show``. (`6947 <https://github.com/pypa/pip/issues/6947>`_) - Don't use hardlinks for locking selfcheck state file. (`6954 <https://github.com/pypa/pip/issues/6954>`_) - Ignore "require_virtualenv" in ``pip config`` (`6991 <https://github.com/pypa/pip/issues/6991>`_) - Fix ``pip freeze`` not showing correct entry for mercurial packages that use subdirectories. (`7071 <https://github.com/pypa/pip/issues/7071>`_) - Fix a crash when ``sys.stdin`` is set to ``None``, such as on AWS Lambda. (`7118 <https://github.com/pypa/pip/issues/7118>`_, `7119 <https://github.com/pypa/pip/issues/7119>`_) Vendored Libraries ------------------ - Upgrade certifi to 2019.9.11 - Add contextlib2 0.6.0 as a vendored dependency. - Remove Lockfile as a vendored dependency. - Upgrade msgpack to 0.6.2 - Upgrade packaging to 19.2 - Upgrade pep517 to 0.7.0 - Upgrade pyparsing to 2.4.2 - Upgrade pytoml to 0.1.21 - Upgrade setuptools to 41.4.0 - Upgrade urllib3 to 1.25.6 Improved Documentation ---------------------- - Document caveats for UNC paths in uninstall and add .pth unit tests. (`6516 <https://github.com/pypa/pip/issues/6516>`_) - Add architectural overview documentation. (`6637 <https://github.com/pypa/pip/issues/6637>`_) - Document that ``--ignore-installed`` is dangerous. (`6794 <https://github.com/pypa/pip/issues/6794>`_) ``` ### 19.2.3 ``` =================== Bug Fixes --------- - Fix 'm' flag erroneously being appended to ABI tag in Python 3.8 on platforms that do not provide SOABI (`6885 <https://github.com/pypa/pip/issues/6885>`_) ``` ### 19.2.2 ``` =================== Bug Fixes --------- - Fix handling of tokens (single part credentials) in URLs. (`6795 <https://github.com/pypa/pip/issues/6795>`_) - Fix a regression that caused ``~`` expansion not to occur in ``--find-links`` paths. (`6804 <https://github.com/pypa/pip/issues/6804>`_) ``` ### 19.2.1 ``` =================== Bug Fixes --------- - Fix a ``NoneType`` ``AttributeError`` when evaluating hashes and no hashes are provided. (`6772 <https://github.com/pypa/pip/issues/6772>`_) ``` ### 19.2 ``` ================= Deprecations and Removals ------------------------- - Drop support for EOL Python 3.4. (`6685 <https://github.com/pypa/pip/issues/6685>`_) - Improve deprecation messages to include the version in which the functionality will be removed. (`6549 <https://github.com/pypa/pip/issues/6549>`_) Features -------- - Credentials will now be loaded using `keyring` when installed. (`5948 <https://github.com/pypa/pip/issues/5948>`_) - Fully support using ``--trusted-host`` inside requirements files. (`3799 <https://github.com/pypa/pip/issues/3799>`_) - Update timestamps in pip's ``--log`` file to include milliseconds. (`6587 <https://github.com/pypa/pip/issues/6587>`_) - Respect whether a file has been marked as "yanked" from a simple repository (see `PEP 592 <https://www.python.org/dev/peps/pep-0592/>`__ for details). (`6633 <https://github.com/pypa/pip/issues/6633>`_) - When choosing candidates to install, prefer candidates with a hash matching one of the user-provided hashes. (`5874 <https://github.com/pypa/pip/issues/5874>`_) - Improve the error message when ``METADATA`` or ``PKG-INFO`` is None when accessing metadata. (`5082 <https://github.com/pypa/pip/issues/5082>`_) - Add a new command ``pip debug`` that can display e.g. the list of compatible tags for the current Python. (`6638 <https://github.com/pypa/pip/issues/6638>`_) - Display hint on installing with --pre when search results include pre-release versions. (`5169 <https://github.com/pypa/pip/issues/5169>`_) - Report to Warehouse that pip is running under CI if the ``PIP_IS_CI`` environment variable is set. (`5499 <https://github.com/pypa/pip/issues/5499>`_) - Allow ``--python-version`` to be passed as a dotted version string (e.g. ``3.7`` or ``3.7.3``). (`6585 <https://github.com/pypa/pip/issues/6585>`_) - Log the final filename and SHA256 of a ``.whl`` file when done building a wheel. (`5908 <https://github.com/pypa/pip/issues/5908>`_) - Include the wheel's tags in the log message explanation when a candidate wheel link is found incompatible. (`6121 <https://github.com/pypa/pip/issues/6121>`_) - Add a ``--path`` argument to ``pip freeze`` to support ``--target`` installations. (`6404 <https://github.com/pypa/pip/issues/6404>`_) - Add a ``--path`` argument to ``pip list`` to support ``--target`` installations. (`6551 <https://github.com/pypa/pip/issues/6551>`_) Bug Fixes --------- - Set ``sys.argv[0]`` to the underlying ``setup.py`` when invoking ``setup.py`` via the setuptools shim so setuptools doesn't think the path is ``-c``. (`1890 <https://github.com/pypa/pip/issues/1890>`_) - Update ``pip download`` to respect the given ``--python-version`` when checking ``"Requires-Python"``. (`5369 <https://github.com/pypa/pip/issues/5369>`_) - Respect ``--global-option`` and ``--install-option`` when installing from a version control url (e.g. ``git``). (`5518 <https://github.com/pypa/pip/issues/5518>`_) - Make the "ascii" progress bar really be "ascii" and not Unicode. (`5671 <https://github.com/pypa/pip/issues/5671>`_) - Fail elegantly when trying to set an incorrectly formatted key in config. (`5963 <https://github.com/pypa/pip/issues/5963>`_) - Prevent DistutilsOptionError when prefix is indicated in the global environment and `--target` is used. (`6008 <https://github.com/pypa/pip/issues/6008>`_) - Fix ``pip install`` to respect ``--ignore-requires-python`` when evaluating links. (`6371 <https://github.com/pypa/pip/issues/6371>`_) - Fix a debug log message when freezing an editable, non-version controlled requirement. (`6383 <https://github.com/pypa/pip/issues/6383>`_) - Extend to Subversion 1.8+ the behavior of calling Subversion in interactive mode when pip is run interactively. (`6386 <https://github.com/pypa/pip/issues/6386>`_) - Prevent ``pip install <url>`` from permitting directory traversal if e.g. a malicious server sends a ``Content-Disposition`` header with a filename containing ``../`` or ``..\\``. (`6413 <https://github.com/pypa/pip/issues/6413>`_) - Hide passwords in output when using ``--find-links``. (`6489 <https://github.com/pypa/pip/issues/6489>`_) - Include more details in the log message if ``pip freeze`` can't generate a requirement string for a particular distribution. (`6513 <https://github.com/pypa/pip/issues/6513>`_) - Add the line number and file location to the error message when reading an invalid requirements file in certain situations. (`6527 <https://github.com/pypa/pip/issues/6527>`_) - Prefer ``os.confstr`` to ``ctypes`` when extracting glibc version info. (`6543 <https://github.com/pypa/pip/issues/6543>`_, `6675 <https://github.com/pypa/pip/issues/6675>`_) - Improve error message printed when an invalid editable requirement is provided. (`6648 <https://github.com/pypa/pip/issues/6648>`_) - Improve error message formatting when a command errors out in a subprocess. (`6651 <https://github.com/pypa/pip/issues/6651>`_) Vendored Libraries ------------------ - Upgrade certifi to 2019.6.16 - Upgrade distlib to 0.2.9.post0 - Upgrade msgpack to 0.6.1 - Upgrade requests to 2.22.0 - Upgrade urllib3 to 1.25.3 - Patch vendored html5lib, to prefer using `collections.abc` where possible. Improved Documentation ---------------------- - Document how Python 2.7 support will be maintained. (`6726 <https://github.com/pypa/pip/issues/6726>`_) - Upgrade Sphinx version used to build documentation. (`6471 <https://github.com/pypa/pip/issues/6471>`_) - Fix generation of subcommand manpages. (`6724 <https://github.com/pypa/pip/issues/6724>`_) - Mention that pip can install from git refs. (`6512 <https://github.com/pypa/pip/issues/6512>`_) - Replace a failing example of pip installs with extras with a working one. (`4733 <https://github.com/pypa/pip/issues/4733>`_) ``` ### 19.1.1 ``` =================== Features -------- - Restore ``pyproject.toml`` handling to how it was with pip 19.0.3 to prevent the need to add ``--no-use-pep517`` when installing in editable mode. (`6434 <https://github.com/pypa/pip/issues/6434>`_) Bug Fixes --------- - Fix a regression that caused `` to be quoted in pypiserver links. This interfered with parsing the revision string from VCS urls. (`6440 <https://github.com/pypa/pip/issues/6440>`_) ``` ### 19.1 ``` ================= Features -------- - Configuration files may now also be stored under ``sys.prefix`` (`5060 <https://github.com/pypa/pip/issues/5060>`_) - Avoid creating an unnecessary local clone of a Bazaar branch when exporting. (`5443 <https://github.com/pypa/pip/issues/5443>`_) - Include in pip's User-Agent string whether it looks like pip is running under CI. (`5499 <https://github.com/pypa/pip/issues/5499>`_) - A custom (JSON-encoded) string can now be added to pip's User-Agent using the ``PIP_USER_AGENT_USER_DATA`` environment variable. (`5549 <https://github.com/pypa/pip/issues/5549>`_) - For consistency, passing ``--no-cache-dir`` no longer affects whether wheels will be built. In this case, a temporary directory is used. (`5749 <https://github.com/pypa/pip/issues/5749>`_) - Command arguments in ``subprocess`` log messages are now quoted using ``shlex.quote()``. (`6290 <https://github.com/pypa/pip/issues/6290>`_) - Prefix warning and error messages in log output with `WARNING` and `ERROR`. (`6298 <https://github.com/pypa/pip/issues/6298>`_) - Using ``--build-options`` in a PEP 517 build now fails with an error, rather than silently ignoring the option. (`6305 <https://github.com/pypa/pip/issues/6305>`_) - Error out with an informative message if one tries to install a ``pyproject.toml``-style (PEP 517) source tree using ``--editable`` mode. (`6314 <https://github.com/pypa/pip/issues/6314>`_) - When downloading a package, the ETA and average speed now only update once per second for better legibility. (`6319 <https://github.com/pypa/pip/issues/6319>`_) Bug Fixes --------- - The stdout and stderr from VCS commands run by pip as subprocesses (e.g. ``git``, ``hg``, etc.) no longer pollute pip's stdout. (`1219 <https://github.com/pypa/pip/issues/1219>`_) - Fix handling of requests exceptions when dependencies are debundled. (`4195 <https://github.com/pypa/pip/issues/4195>`_) - Make pip's self version check avoid recommending upgrades to prereleases if the currently-installed version is stable. (`5175 <https://github.com/pypa/pip/issues/5175>`_) - Fixed crash when installing a requirement from a URL that comes from a dependency without a URL. (`5889 <https://github.com/pypa/pip/issues/5889>`_) - Improve handling of file URIs: correctly handle `file://localhost/...` and don't try to use UNC paths on Unix. (`5892 <https://github.com/pypa/pip/issues/5892>`_) - Fix ``utils.encoding.auto_decode()`` ``LookupError`` with invalid encodings. ``utils.encoding.auto_decode()`` was broken when decoding Big Endian BOM byte-strings on Little Endian or vice versa. (`6054 <https://github.com/pypa/pip/issues/6054>`_) - Fix incorrect URL quoting of IPv6 addresses. (`6285 <https://github.com/pypa/pip/issues/6285>`_) - Redact the password from the extra index URL when using ``pip -v``. (`6295 <https://github.com/pypa/pip/issues/6295>`_) - The spinner no longer displays a completion message after subprocess calls not needing a spinner. It also no longer incorrectly reports an error after certain subprocess calls to Git that succeeded. (`6312 <https://github.com/pypa/pip/issues/6312>`_) - Fix the handling of editable mode during installs when ``pyproject.toml`` is present but PEP 517 doesn't require the source tree to be treated as ``pyproject.toml``-style. (`6370 <https://github.com/pypa/pip/issues/6370>`_) - Fix ``NameError`` when handling an invalid requirement. (`6419 <https://github.com/pypa/pip/issues/6419>`_) Vendored Libraries ------------------ - Updated certifi to 2019.3.9 - Updated distro to 1.4.0 - Update progress to 1.5 - Updated pyparsing to 2.4.0 - Updated pkg_resources to 41.0.1 (via setuptools) Improved Documentation ---------------------- - Make dashes render correctly when displaying long options like ``--find-links`` in the text. (`6422 <https://github.com/pypa/pip/issues/6422>`_) ``` ### 19.0.3 ``` =================== Bug Fixes --------- - Fix an ``IndexError`` crash when a legacy build of a wheel fails. (`6252 <https://github.com/pypa/pip/issues/6252>`_) - Fix a regression introduced in 19.0.2 where the filename in a RECORD file of an installed file would not be updated when installing a wheel. (`6266 <https://github.com/pypa/pip/issues/6266>`_) ``` ### 19.0.2 ``` =================== Bug Fixes --------- - Fix a crash where PEP 517-based builds using ``--no-cache-dir`` would fail in some circumstances with an ``AssertionError`` due to not finalizing a build directory internally. (`6197 <https://github.com/pypa/pip/issues/6197>`_) - Provide a better error message if attempting an editable install of a directory with a ``pyproject.toml`` but no ``setup.py``. (`6170 <https://github.com/pypa/pip/issues/6170>`_) - The implicit default backend used for projects that provide a ``pyproject.toml`` file without explicitly specifying ``build-backend`` now behaves more like direct execution of ``setup.py``, and hence should restore compatibility with projects that were unable to be installed with ``pip`` 19.0. This raised the minimum required version of ``setuptools`` for such builds to 40.8.0. (`6163 <https://github.com/pypa/pip/issues/6163>`_) - Allow ``RECORD`` lines with more than three elements, and display a warning. (`6165 <https://github.com/pypa/pip/issues/6165>`_) - ``AdjacentTempDirectory`` fails on unwritable directory instead of locking up the uninstall command. (`6169 <https://github.com/pypa/pip/issues/6169>`_) - Make failed uninstalls roll back more reliably and better at avoiding naming conflicts. (`6194 <https://github.com/pypa/pip/issues/6194>`_) - Ensure the correct wheel file is copied when building PEP 517 distribution is built. (`6196 <https://github.com/pypa/pip/issues/6196>`_) - The Python 2 end of life warning now only shows on CPython, which is the implementation that has announced end of life plans. (`6207 <https://github.com/pypa/pip/issues/6207>`_) Improved Documentation ---------------------- - Re-write README and documentation index (`5815 <https://github.com/pypa/pip/issues/5815>`_) ``` ### 19.0.1 ``` =================== Bug Fixes --------- - Fix a crash when using --no-cache-dir with PEP 517 distributions (`6158 <https://github.com/pypa/pip/issues/6158>`_, `6171 <https://github.com/pypa/pip/issues/6171>`_) ``` ### 19.0 ``` ================= Deprecations and Removals ------------------------- - Deprecate support for Python 3.4 (`6106 <https://github.com/pypa/pip/issues/6106>`_) - Start printing a warning for Python 2.7 to warn of impending Python 2.7 End-of-life and prompt users to start migrating to Python 3. (`6148 <https://github.com/pypa/pip/issues/6148>`_) - Remove the deprecated ``--process-dependency-links`` option. (`6060 <https://github.com/pypa/pip/issues/6060>`_) - Remove the deprecated SVN editable detection based on dependency links during freeze. (`5866 <https://github.com/pypa/pip/issues/5866>`_) Features -------- - Implement PEP 517 (allow projects to specify a build backend via pyproject.toml). (`5743 <https://github.com/pypa/pip/issues/5743>`_) - Implement manylinux2010 platform tag support. manylinux2010 is the successor to manylinux1. It allows carefully compiled binary wheels to be installed on compatible Linux platforms. (`5008 <https://github.com/pypa/pip/issues/5008>`_) - Improve build isolation: handle ``.pth`` files, so namespace packages are correctly supported under Python 3.2 and earlier. (`5656 <https://github.com/pypa/pip/issues/5656>`_) - Include the package name in a freeze warning if the package is not installed. (`5943 <https://github.com/pypa/pip/issues/5943>`_) - Warn when dropping an ``--[extra-]index-url`` value that points to an existing local directory. (`5827 <https://github.com/pypa/pip/issues/5827>`_) - Prefix pip's ``--log`` file lines with their timestamp. (`6141 <https://github.com/pypa/pip/issues/6141>`_) Bug Fixes --------- - Avoid creating excessively long temporary paths when uninstalling packages. (`3055 <https://github.com/pypa/pip/issues/3055>`_) - Redact the password from the URL in various log messages. (`4746 <https://github.com/pypa/pip/issues/4746>`_, `6124 <https://github.com/pypa/pip/issues/6124>`_) - Avoid creating excessively long temporary paths when uninstalling packages. (`3055 <https://github.com/pypa/pip/issues/3055>`_) - Avoid printing a stack trace when given an invalid requirement. (`5147 <https://github.com/pypa/pip/issues/5147>`_) - Present 401 warning if username/password do not work for URL (`4833 <https://github.com/pypa/pip/issues/4833>`_) - Handle ``requests.exceptions.RetryError`` raised in ``PackageFinder`` that was causing pip to fail silently when some indexes were unreachable. (`5270 <https://github.com/pypa/pip/issues/5270>`_, `5483 <https://github.com/pypa/pip/issues/5483>`_) - Handle a broken stdout pipe more gracefully (e.g. when running ``pip list | head``). (`4170 <https://github.com/pypa/pip/issues/4170>`_) - Fix crash from setting ``PIP_NO_CACHE_DIR=yes``. (`5385 <https://github.com/pypa/pip/issues/5385>`_) - Fix crash from unparsable requirements when checking installed packages. (`5839 <https://github.com/pypa/pip/issues/5839>`_) - Fix content type detection if a directory named like an archive is used as a package source. (`5838 <https://github.com/pypa/pip/issues/5838>`_) - Fix listing of outdated packages that are not dependencies of installed packages in ``pip list --outdated --not-required`` (`5737 <https://github.com/pypa/pip/issues/5737>`_) - Fix sorting ``TypeError`` in ``move_wheel_files()`` when installing some packages. (`5868 <https://github.com/pypa/pip/issues/5868>`_) - Fix support for invoking pip using ``python src/pip ...``. (`5841 <https://github.com/pypa/pip/issues/5841>`_) - Greatly reduce memory usage when installing wheels containing large files. (`5848 <https://github.com/pypa/pip/issues/5848>`_) - Editable non-VCS installs now freeze as editable. (`5031 <https://github.com/pypa/pip/issues/5031>`_) - Editable Git installs without a remote now freeze as editable. (`4759 <https://github.com/pypa/pip/issues/4759>`_) - Canonicalize sdist file names so they can be matched to a canonicalized package name passed to ``pip install``. (`5870 <https://github.com/pypa/pip/issues/5870>`_) - Properly decode special characters in SVN URL credentials. (`5968 <https://github.com/pypa/pip/issues/5968>`_) - Make ``PIP_NO_CACHE_DIR`` disable the cache also for truthy values like ``"true"``, ``"yes"``, ``"1"``, etc. (`5735 <https://github.com/pypa/pip/issues/5735>`_) Vendored Libraries ------------------ - Include license text of vendored 3rd party libraries. (`5213 <https://github.com/pypa/pip/issues/5213>`_) - Update certifi to 2018.11.29 - Update colorama to 0.4.1 - Update distlib to 0.2.8 - Update idna to 2.8 - Update packaging to 19.0 - Update pep517 to 0.5.0 - Update pkg_resources to 40.6.3 (via setuptools) - Update pyparsing to 2.3.1 - Update pytoml to 0.1.20 - Update requests to 2.21.0 - Update six to 1.12.0 - Update urllib3 to 1.24.1 Improved Documentation ---------------------- - Include the Vendoring Policy in the documentation. (`5958 <https://github.com/pypa/pip/issues/5958>`_) - Add instructions for running pip from source to Development documentation. (`5949 <https://github.com/pypa/pip/issues/5949>`_) - Remove references to removed ``egg=<name>-<version>`` functionality (`5888 <https://github.com/pypa/pip/issues/5888>`_) - Fix omission of command name in HTML usage documentation (`5984 <https://github.com/pypa/pip/issues/5984>`_) ``` ### 18.1 ``` ================= Features -------- - Allow PEP 508 URL requirements to be used as dependencies. As a security measure, pip will raise an exception when installing packages from PyPI if those packages depend on packages not also hosted on PyPI. In the future, PyPI will block uploading packages with such external URL dependencies directly. (`4187 <https://github.com/pypa/pip/issues/4187>`_) - Allows dist options (--abi, --python-version, --platform, --implementation) when installing with --target (`5355 <https://github.com/pypa/pip/issues/5355>`_) - Support passing ``svn+ssh`` URLs with a username to ``pip install -e``. (`5375 <https://github.com/pypa/pip/issues/5375>`_) - pip now ensures that the RECORD file is sorted when installing from a wheel file. (`5525 <https://github.com/pypa/pip/issues/5525>`_) - Add support for Python 3.7. (`5561 <https://github.com/pypa/pip/issues/5561>`_) - Malformed configuration files now show helpful error messages, instead of tracebacks. (`5798 <https://github.com/pypa/pip/issues/5798>`_) Bug Fixes --------- - Checkout the correct branch when doing an editable Git install. (`2037 <https://github.com/pypa/pip/issues/2037>`_) - Run self-version-check only on commands that may access the index, instead of trying on every run and failing to do so due to missing options. (`5433 <https://github.com/pypa/pip/issues/5433>`_) - Allow a Git ref to be installed over an existing installation. (`5624 <https://github.com/pypa/pip/issues/5624>`_) - Show a better error message when a configuration option has an invalid value. (`5644 <https://github.com/pypa/pip/issues/5644>`_) - Always revalidate cached simple API pages instead of blindly caching them for up to 10 minutes. (`5670 <https://github.com/pypa/pip/issues/5670>`_) - Avoid caching self-version-check information when cache is disabled. (`5679 <https://github.com/pypa/pip/issues/5679>`_) - Avoid traceback printing on autocomplete after flags in the CLI. (`5751 <https://github.com/pypa/pip/issues/5751>`_) - Fix incorrect parsing of egg names if pip needs to guess the package name. (`5819 <https://github.com/pypa/pip/issues/5819>`_) Vendored Libraries ------------------ - Upgrade certifi to 2018.8.24 - Upgrade packaging to 18.0 - Upgrade pyparsing to 2.2.1 - Add pep517 version 0.2 - Upgrade pytoml to 0.1.19 - Upgrade pkg_resources to 40.4.3 (via setuptools) Improved Documentation ---------------------- - Fix "Requirements Files" reference in User Guide (`user_guide_fix_requirements_file_ref <https://github.com/pypa/pip/issues/user_guide_fix_requirements_file_ref>`_) ``` ### 18.0 ``` ================= Process ------- - Switch to a Calendar based versioning scheme. - Formally document our deprecation process as a minimum of 6 months of deprecation warnings. - Adopt and document NEWS fragment writing style. - Switch to releasing a new, non-bug fix version of pip every 3 months. Deprecations and Removals ------------------------- - Remove the legacy format from pip list. (3651, 3654) - Dropped support for Python 3.3. (3796) - Remove support for cleaning up egg fragment postfixes. (4174) - Remove the shim for the old get-pip.py location. (5520) For the past 2 years, it's only been redirecting users to use the newer https://bootstrap.pypa.io/get-pip.py location. Features -------- - Introduce a new --prefer-binary flag, to prefer older wheels over newer source packages. (3785) - Improve autocompletion function on file name completion after options which have ``<file>``, ``<dir>`` or ``<path>`` as metavar. (4842, 5125) - Add support for installing PEP 518 build dependencies from source. (5229) - Improve status message when upgrade is skipped due to only-if-needed strategy. (5319) Bug Fixes --------- - Update pip's self-check logic to not use a virtualenv specific file and honor cache-dir. (3905) - Remove compiled pyo files for wheel packages. (4471) - Speed up printing of newly installed package versions. (5127) - Restrict install time dependency warnings to directly-dependant p